IoT: A hacker’s dream come true?

There’s a lot more to the web than the cat-video-laden sites we normally see. In fact, according to most sources, the web that we can typically get to via our browser of choice represents only a small fraction of what’s out there.

This deep web is an ocean of content that is not visible to search engines and cannot be easily stumbled over – existing as it does behind locked forms, encrypted connections, and hidden systems. Yet, even within the deep web there are darker corners, where the information isn’t just difficult to find, but actively hidden, and often for good reason.

This is the dark web, the stuff of breathless news reporting and nervous collar-fingering in the halls of power. And on the dark web, along with people who legitimately don’t want the government – *any* government – peering over their shoulders, are those whose stock-in-trade is best not discussed in polite company.

The dark web is the home of illegal sales and botnet rental services. It’s a place you don’t get to by accident, and it exists because, if there’s anything we can guarantee about human nature, it’s that for every sunny plaza we build, there’ll be a dark alley around the corner.

And that same tendency towards misuse and misappropriation will inevitably affect that next great technology deployment, the Internet of Things (IoT). The IoT is likely to be the hacker’s dream come true: a massive expansion in technology and systems, with little oversight, no real rules, and rolled out in many cases by companies with little or no history in cybersecurity. The IoT will consist of billions of devices existing in every nook and cranny of our public, work, and private lives, constantly on, and yet without anything in the way of legislative or industry mandates to keep it safe and secure.

Most “things” will likely operate safely and securely without interference, but there will be some portion of the IoT that will attract the attention of the very same people and organizations who build botnets, steal IP, and carry out pay-for-DDoS attacks using the far less extensive internet we see now. If there is an IoT, a “dark IoT” will follow as inevitably as dusk follows dawn.

I suspect that the dark IoT will consist of a body of compromised devices that are either explicitly feeding information to illicit sources, or are perhaps lying dormant for some future use. Whether it’s commercial devices acting as the Achilles heel of a corporate network, or some city control system doing double time as part of a botnet, the uses for the dark IoT will evolve in the same way as the purposes for the dark web have changed.

Just like the dark web, the dark IoT will operate quietly, under the radar, without most of us knowing. And just like the dark web, once it exists, the dark IoT will likely be with us for a long, long time. Of course, the better security we build into devices now, and indeed, the better able we are to detect when a device is compromised, the more we can manage the growth of a dark IoT. Rather like weeds in a garden, it’s far easier to control the initial growth than it is to eradicate them once they are established.

The key here, I believe, is to establish a method that enables us to do two things:

1. Monitor the lifecycle and behavior of devices so that we can better understand when and if they have been compromised. This will be especially important for IoT devices that are within or around critical infrastructure.

2. Establish a method of updating security (or simply taking the device offline) once we can identify that a device has “gone over to the dark side.” This is actually more important than attempting to build in perfect security out of the box, since the complexity of the IoT will probably preclude perfect security from the start line.

If we fail to do both, we are back to playing the same fruitless blame game we’ve been playing for the past decade when it comes to general cybersecurity – only on a much bigger scale.

The IoT will change much about the way we use technology, but if we want to keep some degree of security and privacy, we have to accept that the human tendencies embodied in the dark web represent something too fundamental for us to expect the IoT to change.